GothenburgBitFactory / taskwarrior

Taskwarrior - Command line Task Management
https://taskwarrior.org
MIT License

task sync relies on embedded/integrated certificate store and does not obey system store #3625

Closed snicker closed 1 week ago

snicker commented 1 month ago

Recently corporate IT implemented TLS inspection using ZScaler and suddenly my ability to synchronize tasks with my taskwarrior sync server is failing with an "unknown issuer" error, using Taskwarrior 3.1.0 and the task sync command:

Failed to synchronize with server: Server Error: https://[redacted]/v1/client/get-child-version/[redacted]: Connection Failed: tls connection init failed: invalid peer certificate: UnknownIssuer

Output from openssl, showing that the system-level certs handle the intercepted and modified trust chain (though this is not something I am really fond of):

$ openssl s_client -connect [redacted]:443
Connecting to [redacted]
CONNECTED(00000005)
depth=3 C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
verify return:1
depth=2 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
verify return:1
depth=1 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
verify return:1
depth=0 CN=*.[redacted], O=Zscaler Inc., OU=Zscaler Inc.
verify return:1
---
Certificate chain
 0 s:CN=*.[redacted], O=Zscaler Inc., OU=Zscaler Inc.
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 17 14:16:07 2024 GMT; NotAfter: Sep 28 03:46:25 2024 GMT
 1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 14 03:46:25 2024 GMT; NotAfter: Sep 28 03:46:25 2024 GMT
 2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
   i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  5 05:32:29 2020 GMT; NotAfter: Jun 23 05:32:29 2041 GMT

Compared to how this cert chain ought to look:

Certificate chain
 0 s:CN = *.[redacted]
   i:C = US, O = Let's Encrypt, CN = R10
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

It seems the necessary change is for taskwarrior/taskchampion to use system-level certs? But I am not a TLS expert.

A similar issue is described here: https://github.com/volta-cli/volta/issues/1427 and the fix: https://github.com/volta-cli/volta/pull/1375

I can't seem to find any workaround to support this.
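As an added illustration (not code from this issue, from Taskwarrior or from TaskChampion): a small parser for the `openssl s_client` chain output quoted above that mimics the verifier's decision against two constructed trust stores. The stores hold root CNs only, standing in for a real signature check, and the hostnames are the redacted ones from the post; it shows why a build-time embedded root set reports UnknownIssuer for the proxied chain while the OS store, which IT extended with the proxy root, accepts it.

```python
import re

# Constructed excerpts of the `openssl s_client` output quoted in the issue:
# the chain seen through the inspecting proxy, and the chain the origin serves.
INTERCEPTED_CHAIN = """\
Certificate chain
 0 s:CN=*.[redacted], O=Zscaler Inc., OU=Zscaler Inc.
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
 1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
 2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
   i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
"""
EXPECTED_CHAIN = """\
Certificate chain
 0 s:CN = *.[redacted]
   i:C = US, O = Let's Encrypt, CN = R10
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Constructed trust stores (CNs only): roots embedded in the client at build
# time versus the OS store after IT installed the inspecting proxy's root.
EMBEDDED_ROOTS = {"ISRG Root X1"}
SYSTEM_ROOTS = EMBEDDED_ROOTS | {"Zscaler Root CA"}

def _norm(dn):  # canonicalise spacing so 'C = US' compares equal to 'C=US'
    return re.sub(r"\s*,\s*", ", ", re.sub(r"\s*=\s*", "=", dn.strip()))

def parse_chain(text):
    """Return [(subject, issuer), ...] from a 'Certificate chain' block."""
    lines = [l.strip() for l in text.splitlines()]
    pairs = []
    for k, line in enumerate(lines):
        m = re.match(r"\d+ s:(.*)", line)
        if m and k + 1 < len(lines) and lines[k + 1].startswith("i:"):
            pairs.append((_norm(m.group(1)), _norm(lines[k + 1][2:])))
    return pairs

def anchor_cn(text):  # CN of the root the chain relies on: last cert's issuer
    m = re.search(r"CN=([^,]+)", parse_chain(text)[-1][1])
    return m.group(1).strip()

def check_chain(text, trusted_root_cns):  # 'Ok', 'UnknownIssuer' or 'BrokenChain'
    chain = parse_chain(text)
    for (_, issuer), (subject, _) in zip(chain, chain[1:]):
        if issuer != subject:  # each issuer must be the next cert's subject
            return "BrokenChain"
    return "Ok" if anchor_cn(text) in trusted_root_cns else "UnknownIssuer"
```

Running the proxied chain against EMBEDDED_ROOTS reproduces the UnknownIssuer outcome from the error message, and a chain whose anchor is unexpectedly a proxy root is also the simplest sign that a connection is being inspected.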

djmitche commented 1 month ago

Would you be able to test a patch?

snicker commented 1 month ago

I should be able to; it might take me a day or two to get a build environment set up.

djmitche commented 1 month ago

Check out the diff in #3626?

djmitche commented 1 month ago

@snicker were you able to test that patch?

snicker commented 1 month ago

Unfortunately no, the next day an exception was added that made it impossible to test, as the certificate was no longer intercepted.

djmitche commented 1 month ago

OK, that's fine. I filed https://github.com/GothenburgBitFactory/taskchampion/issues/460 to track this in TC, and once that's done I think we could add a build flag for Taskwarrior. That should probably default to using the built-in certs, as that's the safer option.

djmitche commented 3 weeks ago

OK, this can be added once the next release of TaskChampion is merged.

djmitche commented 2 weeks ago

TaskChampion is updated, so now it's time to make this feature accessible in TW.